CN114297708A - Access control method, device, equipment and storage medium - Google Patents

Info

Publication number: CN114297708A
Authority: CN (China)
Prior art keywords: access, application, terminal, target, target resource
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202111616579.0A
Other languages: Chinese (zh)
Inventors: 范潇, 张泽洲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original Assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd; priority to CN202111616579.0A; publication of CN114297708A; legal status: pending

Abstract

The application provides an access control method, an access control device, access control equipment and a storage medium, wherein the method comprises the following steps: receiving an access request sent by a terminal, wherein the access request carries a target resource identifier to be accessed and an application identifier of the application sending the access request; acquiring target application attribute information corresponding to the application identifier and access configuration information corresponding to the target resource identifier; judging, according to the attribute information and the access configuration information, whether the terminal has the authority to access the target resource through the target application; and when the terminal has that authority, allowing the terminal to access the target resource through the target application. By verifying, during the access process, the application program through which the user initiates access to the data resource, the security and credibility of the access subject are ensured and the security of data access is improved.

Description

Access control method, device, equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to an access control method, apparatus, device, and storage medium.
Background
Access control provides a set of methods for identifying all functions in a system, organizing and hosting them, organizing and identifying all data, and exposing a single simple interface, with an application system at one end and a permission engine at the other. The permission engine answers only one question: does a given subject have the right to perform a given operation (an action or computation) on a given resource? The returned result is only one of: permitted, not permitted, or permission engine error.
Access control is a technique needed by almost all systems, computer and non-computer alike. It restricts a user's access to certain information items, or the use of certain control functions, according to a defined set of user identities and the groups they belong to. Access control is typically used by system administrators to control a user's access to network resources such as servers, directories and files.
Access control involves a subject, an object and an access security policy. The traditional model mainly identifies the subject that initiates a service through the user identity and the terminal identity, and object control mainly focuses on the resource and the authorization of the subject; the carrier that actually issues the data request is not controlled, so there is a risk that a vulnerability or a forged script program continuously issues illegal requests for the protected resource during the access process.
Disclosure of Invention
An object of the embodiments of the present application is to provide an access control method, apparatus, device, and storage medium, which ensure the security and credibility of a subject by verifying, during the access process, the application program through which a user initiates access to a data resource.
A first aspect of an embodiment of the present application provides an access control method, including: receiving an access request sent by a terminal, wherein the access request carries a target resource identifier to be accessed and an application identifier for sending the access request; acquiring target application attribute information corresponding to the application identifier and access configuration information corresponding to the target resource identifier; judging whether the terminal has the authority of accessing the target resource through the target application or not according to the attribute information and the access configuration information; and when the terminal has the authority of accessing the target resource through the target application, allowing the terminal to access the target resource through the target application.
In an embodiment, the determining, according to the attribute information and the access configuration information, whether the terminal has a right to access the target resource through the target application includes: judging whether the access configuration information corresponding to the target resource identifier is enabled or not; and when the access configuration information corresponding to the target resource identifier is not enabled, determining that the terminal has the authority of accessing the target resource through the target application.
In an embodiment, the determining, according to the attribute information and the access configuration information, whether the terminal has a right to access the target resource through the target application further includes: when the access configuration information corresponding to the target resource identifier is enabled, judging whether the attribute information is marked as a trusted application in the access configuration information; and when the attribute information is marked as a trusted application in the access configuration information, determining that the terminal has the authority of accessing the target resource through the target application.
In an embodiment, the determining, according to the attribute information and the access configuration information, whether the terminal has a right to access the target resource through the target application further includes: and when the attribute information is marked as an untrusted application in the access configuration information, determining that the terminal does not have the authority of accessing the target resource through the target application.
In one embodiment, the attribute information includes: one or more of a package name, an application fingerprint, a publisher, or a program signature of the target application.
In an embodiment, before the receiving the access request sent by the terminal, the method further includes: receiving an identity authentication request of the terminal, wherein the identity authentication request carries an identifier of the terminal; and performing identity authentication on the terminal according to a target authentication strategy corresponding to the identifier of the terminal, and executing the step of receiving the access request sent by the terminal when the identity authentication of the terminal is successful.
In one embodiment, the target authentication policy includes: user identity authentication and/or device authentication.
A second aspect of the embodiments of the present application provides an access control apparatus, including: the first receiving module is used for receiving an access request sent by a terminal, wherein the access request carries a target resource identifier to be accessed and an application identifier for sending the access request; the acquisition module is used for acquiring target application attribute information corresponding to the application identifier and access configuration information corresponding to the target resource identifier; the judging module is used for judging whether the terminal has the authority of accessing the target resource through the target application according to the attribute information and the access configuration information; and the allowing module is used for allowing the terminal to access the target resource through the target application when the terminal has the authority of accessing the target resource through the target application.
In one embodiment, the determining module is configured to: judging whether the access configuration information corresponding to the target resource identifier is enabled or not; and when the access configuration information corresponding to the target resource identifier is not enabled, determining that the terminal has the authority of accessing the target resource through the target application.
In an embodiment, the determining module is further configured to: when the access configuration information corresponding to the target resource identifier is enabled, judging whether the attribute information is marked as a trusted application in the access configuration information; and when the attribute information is marked as a trusted application in the access configuration information, determining that the terminal has the authority of accessing the target resource through the target application.
In an embodiment, the determining module is further configured to: and when the attribute information is marked as an untrusted application in the access configuration information, determining that the terminal does not have the authority of accessing the target resource through the target application.
In one embodiment, the attribute information includes: one or more of a package name, an application fingerprint, a publisher, or a program signature of the target application.
In one embodiment, the apparatus further includes: a second receiving module, configured to receive an identity authentication request of the terminal before the access request sent by the terminal is received, where the identity authentication request carries an identifier of the terminal; and an authentication module, configured to authenticate the identity of the terminal according to a target authentication policy corresponding to the identifier of the terminal, and to execute the step of receiving the access request sent by the terminal when the identity authentication of the terminal succeeds.
In one embodiment, the target authentication policy includes: user identity authentication and/or device authentication.
A third aspect of embodiments of the present application provides an electronic device, including: a memory to store a computer program; a processor configured to execute the computer program to implement the method of the first aspect and any embodiment of the present application.
A fourth aspect of embodiments of the present application provides a non-transitory electronic device-readable storage medium, including: a program which, when run by an electronic device, causes the electronic device to perform the method of the first aspect of an embodiment of the present application and any embodiment thereof.
According to the access control method, apparatus, device and storage medium, trust-related access configuration information is set for each resource in advance. In the process in which the terminal accesses a resource, a permission verification step for the application program on the accessing terminal is added: whether the target application has permission to access the target resource is judged from the attribute information of the target application and the access configuration information of the target resource, and only when the target application has that permission is the terminal allowed to access the target resource through it. This further ensures the credibility of the access subject and improves the security of data access.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
Fig. 2 is a schematic view of a scenario of an access control system according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of an access control method according to an embodiment of the present application;
Fig. 4 is a flowchart illustrating an access control method according to an embodiment of the present application;
Fig. 5 is a schematic view of a scenario of an access control system according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an access control device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. In the description of the present application, the terms "first," "second," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
As shown in fig. 1, the present embodiment provides an electronic device 1 including at least one processor 11 and a memory 12; one processor is shown as an example in fig. 1. The processor 11 and the memory 12 are connected by a bus 10. The memory 12 stores instructions executable by the processor 11; when the processor 11 executes them, the electronic device 1 can perform all or part of the processes of the methods in the embodiments described below, so as to ensure the credibility of the access subject and improve the security of data access.
In an embodiment, the electronic device 1 may be a mobile phone, a tablet computer, a notebook computer, a desktop computer, or a large computing system composed of multiple computers.
For more clearly describing the technical content of the embodiment, the related application scenarios are exemplified as follows:
Access control: granting, through authentication, authorization and access control policies, the identity of a subject (the user and the device) the corresponding permissions to access internal data.
ABAC: Attribute Based Access Control, which controls users' access rights based on attributes, i.e. based on a series of attributes and environmental conditions assigned to users and resources.
Traditional access control involves a subject, an object and an access security policy. The traditional model mainly identifies the subject that initiates a service through the user identity and the terminal identity, and object control mainly focuses on the resource and the authorization of the subject; the carrier that actually issues the data request is not controlled, so there is a risk that a vulnerability or a forged script program continuously issues illegal requests for the protected resource during the access process. To solve this problem, embodiments of the present application provide a method for enhancing subject authentication, in which the application program through which a user initiates access to a data resource is verified during the access process, so as to ensure the security and credibility of the subject.
As shown in fig. 2, which is a schematic view of a scenario of an access control system 100 according to an embodiment of the present application, the access control system 100 includes: the client 101 and the server 102, the client 101 may be loaded in a terminal, the server 102 may be loaded in a server, and the whole access control may be divided into an authentication phase and an access phase, where:
Authentication phase: the subject verification phase, based on the user's device environment and the user's identity information.
Access phase: after the authentication phase is completed, access to the authorized application.
Subject information: the set of access control subjects, composed of devices, people and application access programs.
Object information: the data and resources protected in the access control system 100.
Terminal engine: the endpoint checking and analysis component, mainly responsible for sensing the terminal environment and, in this example, for collecting and analyzing the attributes of terminal applications.
Authentication policy: based on a many-to-many combination of user tags, resource tags, access environment attributes and authentication capabilities; the rules configure what type of authentication must be performed under what conditions.
Trusted application policy: based on the high-level access rules configured for a resource, applications with certain attributes are marked as trusted or untrusted, and rules are configured so that the resource only allows access by specified applications and forbids access by specified applications.
The access control method of the present embodiment is further described in detail with reference to the drawings.
Please refer to fig. 3, which is an access control method according to an embodiment of the present application, and the method may be executed by the electronic device 1 shown in fig. 1 as the server 102, and may be applied in the scenario of the access control system 100 shown in fig. 2, so as to perform verification on an application program that a user initiates data resource access in an access process, ensure security and credibility of a subject, and improve security of data access. The method comprises the following steps:
Step 301: receiving an access request sent by a terminal, wherein the access request carries a target resource identifier to be accessed and an application identifier of the application sending the access request.
In this step, when the user wants to access some resource of the server 102, the client application may send an access request to the server 102; after receiving the access request, the server 102 may parse from it the target resource identifier that the terminal wants to access and the application identifier of the application program that sent the request. The target resource identifier may be information such as a resource type, a resource name or a resource storage location. The application identifier may be distinguishing information such as the name and version number of the target application program. The application program is the software used when a user accesses a service resource on a terminal device, such as a browser or another client program used to access a web resource.
Step 302: acquiring target application attribute information corresponding to the application identifier and access configuration information corresponding to the target resource identifier.
In this step, the attribute information of the target application may be collected and analyzed by the analysis engine of the server 102. The attribute information characterizes the security features of the target application and includes, but is not limited to, one or more of a package name, an application fingerprint, a publisher, or a program signature of the target application. The server 102 may configure access rights for each data resource in advance, and may configure trusted applications or untrusted applications for a data resource.
In an actual scenario, an administrator can classify data resource access subjects (terminals and their application programs) by formulating a trusted application policy based on actual needs: applications that meet the policy are tagged as trusted, and applications that do not are tagged as untrusted. Access configuration information is generated for each data resource, and the resource identifier and its access configuration information are stored in a list in one-to-one correspondence, so that when an access request arrives the access configuration information corresponding to the target resource identifier can be retrieved directly.
Step 303: judging, according to the attribute information and the access configuration information, whether the terminal has the authority to access the target resource through the target application. If yes, go to step 304.
In this step, the access configuration information may include the trusted application policy of the data resource: applications are labelled using multi-dimensional application program attributes such as the application fingerprint, the program signature and the issuing vendor, and the labelled applications are defined as trusted or untrusted; when the terminal accesses the object data, it is judged whether the terminal has the authority to access the target resource through the target application. For example, when a user accesses the resource data of the object information using application A (access subject three), the application authentication process is entered: the analysis engine of the server 102 collects and analyzes the attributes of application A through the application authentication engine, compares them with the trusted application policy configured for the authorized service, and determines whether application A has the access right. If yes, go to step 304. Otherwise application A does not have the access right, and a prompt can be issued so that the relevant personnel can discover and handle malicious attack behaviour in time, which improves the security of the data access process.
The application label may be a label that dynamically classifies the application based on the trusted application policy. The application fingerprint may be computed by running a digest algorithm over the main program of the application, producing a unique identifier for the application.
Step 304: allowing the terminal to access the target resource through the target application.
In this step, when the terminal has the right to access the target resource through the target application, it is indicated that the target application in the terminal is safe and trusted, and may be allowed to access the relevant target resource.
According to the access control method, trust-related access configuration information is set for each resource in advance, and a permission verification step for the application program on the accessing terminal is added to the terminal's resource access process: whether the target application has permission to access the target resource is judged from the attribute information of the target application and the access configuration information of the target resource, and the terminal is allowed to access the target resource through the target application only when the target application has that permission. This further ensures the credibility of the access subject and improves the security of data access.
Please refer to fig. 4, which is an access control method according to an embodiment of the present application, and the method may be executed by the electronic device 1 shown in fig. 1 as the server 102, and may be applied in the scenario of the access control system 100 shown in fig. 2, so as to perform verification on an application program that a user initiates data resource access in an access process, ensure security and credibility of a subject, and improve security of data access. The method comprises the following steps:
Step 401: receiving an identity authentication request of the terminal, wherein the identity authentication request carries an identifier of the terminal.
In this step, for data resources with high information security requirements, a dual authentication mode consisting of an authentication phase and an access phase may be adopted to further improve the security of data access. Before accessing the resource, the terminal may be authenticated: referring to the scenario shown in fig. 2, the user (access subject one) opens the authentication client program in the terminal engine (access subject two), inputs account information (such as an account password or an SMS verification code) and generates an authentication request, which carries a unique identifier of the terminal such as the device number.
Step 402: authenticating the identity of the terminal according to a target authentication policy corresponding to the identifier of the terminal, and executing step 403 when the identity of the terminal is successfully authenticated.
In this step, the authentication policy may be configured by the administrator based on actual needs. The authentication phase may include device authentication and/or user account authentication. As shown in fig. 5, the target authentication policy may be: user identity authentication alone, device authentication alone, or both, in which case the authentication phase is counted as successful only when both user identity authentication and terminal device authentication succeed. In an actual scenario, terminals and users can be grouped, and terminals or users in different groups have different target authentication policies. For example, an enterprise employee may need only device authentication, while a non-enterprise employee must pass both user identity authentication and terminal device authentication to ensure security.
The authentication phase may proceed as follows: the user (access subject one) opens the authentication client program in the terminal engine (access subject two) and inputs account information (such as an account password or an SMS verification code); the authentication engine is configured to sense the security of the terminal environment and verify the user identity information according to the authentication policy, and the subject check of the authentication phase is completed once verification passes. When the identity authentication of the terminal succeeds, step 403 is performed.
Step 403: receiving an access request sent by the terminal, wherein the access request carries a target resource identifier to be accessed and an application identifier of the application sending the access request. See the description of step 301 in the above embodiment for details.
Step 404: acquiring target application attribute information corresponding to the application identifier and access configuration information corresponding to the target resource identifier. See the description of step 302 in the above embodiment for details.
Step 405: judging whether the access configuration information corresponding to the target resource identifier is enabled. If yes, go to step 406; otherwise go to step 407.
In this step, it is assumed that in the access control system 100, the intranet of the user has a highly sensitive financial resource and a less sensitive forum resource, where the forum resource may not enable its access configuration information due to low confidentiality, and the financial resource belongs to a highly confidential resource and may select to enable its corresponding access configuration information.
Step 406: it is determined whether the attribute information is marked as a trusted application in the access configuration information. If yes, go to step 407, otherwise go to step 409.
In this step, assume the access configuration information is as follows: the financial resource and the forum resource can both be accessed through a browser, and the financial resource also has a corresponding financial client App. When the access configuration policy is not enabled, both the financial resource and the forum resource are accessible through any browser. When the access configuration policy is enabled, the financial resource is configured to be accessible only by trusted applications and the forum resource is configured to be inaccessible to untrusted applications; the application matching the package name of the financial App is configured as a trusted application, and the application matching the application fingerprint of the IE X program (which has been reported to contain a vulnerability) is configured as an untrusted application. At this point the financial resource can be accessed only through the financial App, and the forum resource only through a browser other than IE X. In this way the subject of resource access is further restricted, avoiding the situation in which a leaked user account, or a legitimate user unknowingly using a suspicious program, is used to access and attack intranet resources.
When the access configuration information corresponding to the target resource identifier is enabled, if the target resource is a financial resource, the target application is an application having an application fingerprint of an IE X (which has been reported to include a bug), and the application having the application fingerprint of the IE X is marked as an untrusted application, and step 409 is performed.
If the target resource is a financial resource, the target application is a financial App, and the target application is a trusted application, step 407 is entered.
Step 407: determining that the terminal has the authority to access the target resource through the target application.
In this step, when the attribute information is marked as a trusted application in the access configuration information, which indicates that the target application is secure and trusted, and the terminal has passed the identity authentication phase and the access authentication phase, step 408 may be entered to allow the terminal to access the target resource through the target application.
On the other hand, when the access configuration information corresponding to the target resource identifier is not enabled, for example, the forum resource is not enabled for the trusted application check, the terminal with successful login can directly access the forum resource through any application. Step 408 may also be entered at this point to allow the terminal to access the target resource through the target application.
Step 408: when the terminal has the authority to access the target resource through the target application, allowing the terminal to access the target resource through the target application. See the description of step 304 in the above embodiment for details.
Step 409: determining that the terminal does not have the authority to access the target resource through the target application.
In this step, when the attribute information is marked as an untrusted application in the access configuration information, the access request may be denied directly, so as to prevent an illegitimate visitor from attacking the confidential data.
In summary, as shown in fig. 5, after the terminal logs in successfully through the authentication phase, the user is granted access rights to three resources:
1. Forum resources: the trusted application check is not enabled, so any application can access them directly.
2. Financial resources:
(1) Configure the trusted application to be allowed access and all other applications to be denied. For example, the access configuration information configures an App matching the package name com.
(2) Configure the untrusted application to be denied access and all other applications to be allowed. For example, a process matching the application fingerprint 3a98E (IE 6 iexplore.exe) is configured as an untrusted application; the user is denied access to the financial resources through IE 6 on the PC side, while access to the financial resources using the Chrome browser (assumed to be application C) succeeds.
The access control method provides an integrated verification of the user identity, the device environment and the application program subject, which further ensures the security and credibility of the subject and improves the security of data access.
Please refer to fig. 6, which shows an access control apparatus 600 according to an embodiment of the present application. The apparatus may be applied to the electronic device 1 shown in fig. 1 as the server 102, and may be applied in the scenario of the access control system 100 shown in fig. 2, so as to verify, during the access process, the application program through which the user initiates data resource access, ensure the security and credibility of the subject, and improve the security of data access. The apparatus includes a first receiving module 601, an obtaining module 602, a judging module 603 and an allowing module 604, which relate to one another as follows:
the first receiving module 601 is configured to receive an access request sent by a terminal, where the access request carries a target resource identifier to be accessed and an application identifier for sending the access request.
The obtaining module 602 is configured to obtain target application attribute information corresponding to the application identifier and access configuration information corresponding to the target resource identifier.
The judging module 603 is configured to judge whether the terminal has the right to access the target resource through the target application according to the attribute information and the access configuration information.
The allowing module 604 is configured to allow the terminal to access the target resource through the target application when the terminal has the right to access the target resource through the target application.
In one embodiment, the judging module 603 is configured to judge whether the access configuration information corresponding to the target resource identifier is enabled, and, when it is not enabled, to determine that the terminal has the right to access the target resource through the target application.
In an embodiment, the judging module 603 is further configured to judge, when the access configuration information corresponding to the target resource identifier is enabled, whether the attribute information is marked as a trusted application in the access configuration information, and, when it is, to determine that the terminal has the authority to access the target resource through the target application.
In an embodiment, the judging module 603 is further configured to determine, when the attribute information is marked as an untrusted application in the access configuration information, that the terminal does not have the authority to access the target resource through the target application.
In one embodiment, the attribute information includes: one or more of a package name, an application fingerprint, a publisher, or a program signature of the target application.
In one embodiment, the apparatus further comprises a second receiving module 605, configured to receive an identity authentication request of the terminal before the access request sent by the terminal is received, where the identity authentication request carries an identifier of the terminal, and an authentication module 606, configured to perform identity authentication on the terminal according to a target authentication policy corresponding to the identifier of the terminal, and to trigger the step of receiving the access request sent by the terminal when the identity authentication of the terminal succeeds.
In one embodiment, the target authentication policy includes: user identity authentication and/or device authentication.
For a detailed description of the access control apparatus 600, please refer to the description of the related method steps in the above embodiments.
An embodiment of the present invention further provides a non-transitory electronic-device-readable storage medium, comprising a program that, when run on an electronic device, causes the electronic device to perform all or part of the procedures of the methods in the above embodiments. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD), a Solid State Drive (SSD), or the like. The storage medium may also comprise a combination of the kinds of memory described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. An access control method, comprising:
receiving an access request sent by a terminal, wherein the access request carries a target resource identifier to be accessed and an application identifier for sending the access request;
acquiring target application attribute information corresponding to the application identifier and access configuration information corresponding to the target resource identifier;
judging whether the terminal has the authority of accessing the target resource through the target application or not according to the attribute information and the access configuration information;
when the terminal has the authority to access the target resource through the target application, allowing the terminal to access the target resource through the target application.
2. The method according to claim 1, wherein the determining whether the terminal has the right to access the target resource through the target application according to the attribute information and the access configuration information comprises:
judging whether the access configuration information corresponding to the target resource identifier is enabled or not;
when the access configuration information corresponding to the target resource identifier is not enabled, determining that the terminal has the authority to access the target resource through the target application.
3. The method according to claim 2, wherein the determining whether the terminal has the right to access the target resource through the target application according to the attribute information and the access configuration information further comprises:
when the access configuration information corresponding to the target resource identifier is enabled, judging whether the attribute information is marked as a trusted application in the access configuration information;
when the attribute information is marked as a trusted application in the access configuration information, determining that the terminal has the authority to access the target resource through the target application.
4. The method according to claim 3, wherein the determining whether the terminal has the right to access the target resource through the target application according to the attribute information and the access configuration information further comprises:
when the attribute information is marked as an untrusted application in the access configuration information, determining that the terminal does not have the authority to access the target resource through the target application.
5. The method of claim 1, wherein the attribute information comprises: one or more of a package name, an application fingerprint, a publisher, or a program signature of the target application.
6. The method of claim 1, wherein, prior to receiving the access request sent by the terminal, the method further comprises:
receiving an identity authentication request of the terminal, wherein the identity authentication request carries an identifier of the terminal;
performing identity authentication on the terminal according to a target authentication policy corresponding to the identifier of the terminal, and executing the step of receiving the access request sent by the terminal when the identity authentication of the terminal is successful.
7. The method of claim 6, wherein the target authentication policy comprises: user identity authentication and/or device authentication.
8. An access control apparatus, comprising:
the first receiving module is used for receiving an access request sent by a terminal, wherein the access request carries a target resource identifier to be accessed and an application identifier for sending the access request;
the acquisition module is used for acquiring target application attribute information corresponding to the application identifier and access configuration information corresponding to the target resource identifier;
the judging module is used for judging whether the terminal has the authority of accessing the target resource through the target application according to the attribute information and the access configuration information;
the allowing module is used for allowing the terminal to access the target resource through the target application when the terminal has the authority to access the target resource through the target application.
9. An electronic device, comprising:
a memory to store a computer program;
a processor to execute the computer program to implement the method of any one of claims 1 to 7.
10. A non-transitory electronic-device-readable storage medium, comprising: a program which, when run by an electronic device, causes the electronic device to perform the method of any one of claims 1 to 7.
CN202111616579.0A 2021-12-27 2021-12-27 Access control method, device, equipment and storage medium Pending CN114297708A (en)
Publications (1)

Publication Number Publication Date
CN114297708A true CN114297708A (en) 2022-04-08
Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115065529A (en) * 2022-06-13 2022-09-16 北京寰宇天穹信息技术有限公司 Access control method based on credible label fusing host and object key information
CN115190483A (en) * 2022-05-13 2022-10-14 中移互联网有限公司 Method and device for accessing network
CN115878214A (en) * 2022-11-30 2023-03-31 广西壮族自治区信息中心 Application software access method, device, equipment and storage medium
CN116094849A (en) * 2023-04-11 2023-05-09 深圳竹云科技股份有限公司 Application access authentication method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100032 NO.332, 3rd floor, Building 102, 28 xinjiekouwai street, Xicheng District, Beijing

Applicant after: Qianxin Technology Group Co.,Ltd.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: 100032 NO.332, 3rd floor, Building 102, 28 xinjiekouwai street, Xicheng District, Beijing

Applicant before: Qianxin Technology Group Co.,Ltd.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.